Unit 42 researchers have uncovered a large-scale extortion campaign that targeted the cloud environments of several organizations.
According to the analysts, this operation against AWS cloud environments involved a target list of over 230 million unique targets.
The attackers relied on a simple but effective tactic: harvesting credentials from environment variable (.env) files that had been left publicly exposed on misconfigured cloud infrastructure.
These .env files, often overlooked in security reviews, contained confidential data such as access keys, API keys and other credentials for various applications and services.
With those credentials the attackers gained unauthorized access to the victims’ cloud accounts and used that foothold to move further into their environments.
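To show what an exposed .env file hands to an attacker (and what a defender's own exposure check should look for), here is an added example that is not part of the Unit 42 report or of any tool mentioned above. It parses an HTTP response body as a .env file and flags credential-bearing entries; the sample body, the key-name list and the value patterns (including the legacy Mailgun "key-..." shape) are assumptions constructed for this illustration.

```python
"""
Classifier for a response body that may be an exposed .env file.
Added example, not from the Unit 42 report: parses KEY=VALUE lines
(comments, 'export' prefix, quoted values) and flags credential-bearing keys.
"""
import re

# Key names that usually carry secrets (assumption: practical, not exhaustive).
SENSITIVE_KEY = re.compile(
    r"(SECRET|TOKEN|PASSWORD|PASSWD|API_KEY|ACCESS_KEY|PRIVATE_KEY|DSN)", re.I)

# Value shapes worth flagging regardless of the key name.
VALUE_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b"),
    "mailgun_api_key": re.compile(r"\bkey-[0-9a-f]{32}\b"),  # legacy Mailgun shape (assumption)
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}

LINE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")


def parse_env(body):
    """Return {KEY: value} for every KEY=VALUE line; skips blanks and comments."""
    values = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE.match(line)
        if not m:
            continue
        key, val = m.group(1), m.group(2).strip()
        if len(val) >= 2 and val[0] in ("'", '"') and val.endswith(val[0]):
            val = val[1:-1]                      # strip matching quotes
        else:
            val = val.split(" #", 1)[0].rstrip()  # drop a trailing inline comment
        values[key] = val
    return values


def looks_like_env(body, min_vars=2):
    """Heuristic: an exposed .env is mostly KEY=VALUE lines, not an HTML page."""
    if body.lstrip()[:1] == "<":   # error page or SPA fallback, not a dotenv file
        return False
    return len(parse_env(body)) >= min_vars


def find_credentials(body):
    """Return [(key, [reasons...])] for entries that look like credentials."""
    findings = []
    for key, val in parse_env(body).items():
        if not val:
            continue
        reasons = []
        if SENSITIVE_KEY.search(key):
            reasons.append("sensitive_key_name")
        for name, pattern in VALUE_PATTERNS.items():
            if pattern.search(val):
                reasons.append(name)
        if reasons:
            findings.append((key, sorted(set(reasons))))
    return findings


# Constructed sample body; the AWS values are Amazon's documented placeholders.
SAMPLE_BODY = """# constructed sample, not a real leak
APP_ENV=production
APP_DEBUG=false
DB_PASSWORD='s3cr3t-pass'
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
export MAILGUN_API_KEY=key-0123456789abcdef0123456789abcdef
MAIL_FROM=noreply@example.com
"""
HTML_BODY = "<!doctype html><html><body>Not found</body></html>"

if __name__ == "__main__":
    print("env file:", looks_like_env(SAMPLE_BODY), "html:", looks_like_env(HTML_BODY))
    for key, reasons in find_credentials(SAMPLE_BODY):
        print(key, reasons)
```

Pointing a fetcher at `https://host/.env` and feeding the body to `looks_like_env` is the whole exposure check; a 200 response that parses as dotenv content is the misconfiguration the campaign exploited, and `find_credentials` tells you which secrets to rotate first.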
Technical Analysis
The threat actors used automated tools to scan roughly 10,000 domains for publicly exposed .env files containing sensitive information.
Once inside an account, they began with extensive reconnaissance of the breached environment using AWS API calls such as GetCallerIdentity, ListUsers and ListBuckets.
They then escalated their privileges by creating new IAM roles and attaching policies that granted full administrative rights, a step that showed a solid understanding of AWS IAM.
Next, they deployed malicious Lambda functions that recursively scanned for further .env files across multiple AWS regions, with a particular focus on Mailgun credentials, which are useful for running large-scale phishing campaigns.
The scale of the campaign is clear from the numbers: the attackers obtained .env files from over 110,000 domains, and their target list exceeded 230 million unique endpoints.
The operation ended with the exfiltration of data into S3 buckets controlled by the attackers.
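Turning the chain above into a detection, as an added example that is not code from Unit 42 or from this page: the function below walks CloudTrail-style management events grouped by principal and flags the reconnaissance burst (GetCallerIdentity, ListUsers, ListBuckets), the CreateRole followed by AttachRolePolicy with AdministratorAccess, and Lambda creation fanned out across regions. The events, principal ARNs, time window and region threshold are constructed assumptions. The final S3 exfiltration step is not covered, because S3 PutObject calls are data events that CloudTrail only records when data-event logging is enabled.

```python
"""
Detection sketch for the post-compromise chain: recon burst, role creation
plus AdministratorAccess attachment, and multi-region Lambda creation.
Added example, not Unit 42 code; events below are constructed and the
thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RECON_CALLS = {"GetCallerIdentity", "ListUsers", "ListBuckets"}
ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"
RECON_WINDOW = timedelta(minutes=10)   # assumption: recon calls this close together
LAMBDA_REGION_THRESHOLD = 3            # assumption: CreateFunction in >= 3 regions


def _ts(ev):
    return datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def _params(ev):
    return ev.get("requestParameters") or {}


def detect_chain(events):
    """Return {principal ARN: [finding, ...]} for principals showing the chain."""
    by_actor = defaultdict(list)
    for ev in sorted(events, key=_ts):
        by_actor[ev["userIdentity"]["arn"]].append(ev)

    findings = {}
    for actor, evs in by_actor.items():
        found = []
        # 1. All three recon calls from one principal inside RECON_WINDOW.
        recon = [e for e in evs if e["eventName"] in RECON_CALLS]
        for start in recon:
            window = [e for e in recon
                      if timedelta(0) <= _ts(e) - _ts(start) <= RECON_WINDOW]
            if {e["eventName"] for e in window} == RECON_CALLS:
                found.append("recon_burst")
                break
        # 2. A role this principal created gets AdministratorAccess attached.
        created = {_params(e).get("roleName") for e in evs if e["eventName"] == "CreateRole"}
        for e in evs:
            p = _params(e)
            if (e["eventName"] == "AttachRolePolicy"
                    and p.get("policyArn") == ADMIN_POLICY
                    and p.get("roleName") in created):
                found.append("admin_role_created:" + p["roleName"])
        # 3. Lambda creation spread over many regions (CloudTrail event name CreateFunction20150331).
        regions = {e["awsRegion"] for e in evs if e["eventName"] == "CreateFunction20150331"}
        if len(regions) >= LAMBDA_REGION_THRESHOLD:
            found.append(f"lambda_fanout:{len(regions)}_regions")
        if found:
            findings[actor] = found
    return findings


def _ev(time, name, source, region, actor, params=None):
    """Build a minimal CloudTrail-like record (constructed sample data)."""
    return {"eventTime": time, "eventName": name, "eventSource": source,
            "awsRegion": region, "userIdentity": {"arn": actor},
            "requestParameters": params}


LEAKED = "arn:aws:iam::123456789012:user/ci-deploy"   # principal from a leaked .env (sample)
ADMIN = "arn:aws:iam::123456789012:user/alice"        # legitimate admin (sample)

SAMPLE_EVENTS = [
    _ev("2024-06-01T09:30:00Z", "ListBuckets", "s3.amazonaws.com", "us-east-1", ADMIN),
    _ev("2024-06-01T09:31:00Z", "AttachRolePolicy", "iam.amazonaws.com", "us-east-1", ADMIN,
        {"roleName": "app-role", "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}),
    _ev("2024-06-01T10:00:01Z", "GetCallerIdentity", "sts.amazonaws.com", "us-east-1", LEAKED),
    _ev("2024-06-01T10:00:05Z", "ListUsers", "iam.amazonaws.com", "us-east-1", LEAKED),
    _ev("2024-06-01T10:00:09Z", "ListBuckets", "s3.amazonaws.com", "us-east-1", LEAKED),
    _ev("2024-06-01T10:02:00Z", "CreateRole", "iam.amazonaws.com", "us-east-1", LEAKED,
        {"roleName": "lambda-ex"}),
    _ev("2024-06-01T10:02:10Z", "AttachRolePolicy", "iam.amazonaws.com", "us-east-1", LEAKED,
        {"roleName": "lambda-ex", "policyArn": ADMIN_POLICY}),
    _ev("2024-06-01T10:05:00Z", "CreateFunction20150331", "lambda.amazonaws.com", "us-east-1", LEAKED,
        {"functionName": "scan-0"}),
    _ev("2024-06-01T10:05:30Z", "CreateFunction20150331", "lambda.amazonaws.com", "eu-west-1", LEAKED,
        {"functionName": "scan-1"}),
    _ev("2024-06-01T10:06:00Z", "CreateFunction20150331", "lambda.amazonaws.com", "ap-southeast-1", LEAKED,
        {"functionName": "scan-2"}),
]

if __name__ == "__main__":
    for actor, found in detect_chain(SAMPLE_EVENTS).items():
        print(actor, found)
```

Each stage on its own is noisy (admins list buckets and attach policies all day), which is why the findings are keyed by principal and the escalation rule only fires when the same identity both created the role and attached AdministratorAccess to it; in production you would feed this from CloudTrail Lake or a SIEM rather than an in-memory list.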
Attacks of this sophistication underline the need for strict IAM policies, continuous monitoring of cloud activity, and rigorous handling of configuration files, in order to prevent unauthorized access and the resulting data loss or leakage in cloud environments.
“Following the threat actor’s discovery operations, they identified that the original IAM credential used to gain initial access to the cloud environment did not have administrator access to all cloud resources. We determined that the attackers discovered the original IAM role used for initial access did have the permissions to both create new IAM roles and attach IAM policies to existing roles,” Palo Alto Networks researchers wrote.
This cloud-based extortion campaign revealed sophisticated tactics in data exfiltration and operational security.